New Member

ASA v7.2.1 and NAT

I have a configuration on a PIX firewall where I am NAT'ing outbound to a pool (a single IP address) and will be using that same IP address as a source for an inbound NAT.

When I had this configuration, I received the following error message.

6 Nov 17 2006 03:57:32 302014 192.168.70.2 192.168.122.2 Teardown TCP connection 7694 for outside_vlan600:192.168.70.2/10405 to outside_vlan600:192.168.122.2/21 duration 0:00:00 bytes 0 Flow is a loopback

Can this be achieved? Your help is appreciated.

4 REPLIES
Bronze

Re: ASA v7.2.1 and NAT

Hi marknigh1,

Could you post your config? It will help to better understand what is done.

New Member

Re: ASA v7.2.1 and NAT

access-list inside_vlan254_pnat_outbound extended permit ip host 10.100.254.33 host 10.1.9.39

access-list inside_vlan254_pnat_outbound extended permit ip host 10.100.254.33 host 10.1.9.204

access-list inside_vlan254_pnat_outbound extended permit ip 10.101.40.0 255.255.252.0 host 10.1.10.94

access-list inside_vlan254_pnat_outbound extended permit ip host 10.100.254.33 host 10.1.26.30

access-list inside_vlan254_pnat_outbound extended permit ip host 10.100.254.33 host 10.1.26.60

access-list inside_vlan254_pnat_outbound extended permit icmp host 10.100.253.220 host 10.1.26.30

access-list inside_vlan254_pnat_outbound extended permit ip host 10.100.253.220 host 10.1.10.45

access-list inside_vlan254_pnat_outbound_V1 extended permit ip host 10.100.10.115 host 10.1.10.45

access-list outside_vlan600_cryptomap_20 extended permit ip host 192.168.122.2 host 10.1.26.30

access-list outside_vlan600_cryptomap_20 extended permit ip host 192.168.122.2 host 10.1.10.94

access-list outside_vlan600_cryptomap_20 extended permit ip host 192.168.122.2 host 10.1.10.45

access-list outside_vlan600_cryptomap_20 extended permit ip host 192.168.122.2 host 192.168.70.2

access-list outside_vlan600_cryptomap_20 extended permit ip host 192.168.122.151 host 192.168.70.20

access-list outside_vlan600_cryptomap_20 extended permit ip host 192.168.122.152 host 192.168.70.20

access-list outside_vlan600_cryptomap_20 extended permit ip 192.168.122.96 255.255.255.224 host 10.1.10.45

access-list inside_vlan254_pnat_outbound_V2 extended permit ip host 10.100.10.101 host 10.1.10.45

access-list inside_vlan254_pnat_outbound_V5 extended permit ip host 10.100.10.104 host 10.1.10.45

access-list inside_vlan254_pnat_outbound_V3 extended permit ip host 10.100.10.102 host 10.1.10.45

access-list inside_vlan254_pnat_outbound_V4 extended permit ip host 10.100.10.103 host 10.1.10.45

access-list inside_vlan254_pnat_outbound_V6 extended permit ip host 10.100.10.105 host 10.1.10.45

access-list inside_vlan254_pnat_outbound_V7 extended permit ip host 10.100.10.106 host 10.1.10.45

access-list inside_vlan254_pnat_outbound_V8 extended permit ip host 10.100.10.107 host 10.1.10.45

access-list inside_vlan254_pnat_outbound_V9 extended permit ip host 10.100.10.108 host 10.1.10.45

access-list inside_vlan254_pnat_outbound_V10 extended permit ip host 10.100.10.109 host 10.1.10.45

access-list inside_vlan254_nat_static_3 extended permit ip host 10.100.10.110 host 10.1.10.45

access-list inside_vlan254_pnat_outbound_V12 extended permit ip host 10.100.10.111 host 10.1.10.45

access-list inside_vlan254_pnat_outbound_V13 extended permit ip host 10.100.10.112 host 10.1.10.45

access-list inside_vlan254_pnat_outbound_V14 extended permit ip host 10.100.10.113 host 10.1.10.45

access-list inside_vlan254_pnat_outbound_V15 extended permit ip host 10.100.10.114 host 10.1.10.45

access-list inside_vlan254_nat_static_1 extended permit ip host 10.103.10.8 host 192.168.70.20

access-list inside_vlan254_nat_static extended permit ip host 10.102.10.108 host 192.168.70.20

access-list inside_vlan254_nat_static_2 extended permit tcp host 10.100.10.90 host 192.168.70.2 eq ftp

access-list inside_vlan254_nat_static_2 extended permit tcp host 10.100.10.90 host 192.168.70.2 range 52300 52399

New Member

Re: ASA v7.2.1 and NAT

global (outside_vlan600) 1 192.168.122.2 netmask 255.255.255.255

global (outside_vlan600) 600 interface

global (outside_vlan600) 2 192.168.122.96 netmask 255.255.255.224

global (DMZ_vlan505) 505 interface

nat (inside_vlan254) 0 access-list inside_vlan254_nat0_outbound

nat (inside_vlan254) 1 access-list inside_vlan254_pnat_outbound

nat (inside_vlan254) 600 0.0.0.0 0.0.0.0

static (inside_vlan254,outside_vlan600) 192.168.122.101 access-list inside_vlan254_pnat_outbound_V2

static (inside_vlan254,outside_vlan600) 192.168.122.102 access-list inside_vlan254_pnat_outbound_V3

static (inside_vlan254,outside_vlan600) 192.168.122.103 access-list inside_vlan254_pnat_outbound_V4

static (inside_vlan254,outside_vlan600) 192.168.122.104 access-list inside_vlan254_pnat_outbound_V5

static (inside_vlan254,outside_vlan600) 192.168.122.105 access-list inside_vlan254_pnat_outbound_V6

static (inside_vlan254,outside_vlan600) 192.168.122.106 access-list inside_vlan254_pnat_outbound_V7

static (inside_vlan254,outside_vlan600) 192.168.122.107 access-list inside_vlan254_pnat_outbound_V8

static (inside_vlan254,outside_vlan600) 192.168.122.108 access-list inside_vlan254_pnat_outbound_V9

static (inside_vlan254,outside_vlan600) 192.168.122.109 access-list inside_vlan254_pnat_outbound_V10

static (inside_vlan254,outside_vlan600) 192.168.122.110 access-list inside_vlan254_nat_static_3

static (inside_vlan254,outside_vlan600) 192.168.122.111 access-list inside_vlan254_pnat_outbound_V12

static (inside_vlan254,outside_vlan600) 192.168.122.112 access-list inside_vlan254_pnat_outbound_V13

static (inside_vlan254,outside_vlan600) 192.168.122.113 access-list inside_vlan254_pnat_outbound_V14

static (inside_vlan254,outside_vlan600) 192.168.122.114 access-list inside_vlan254_pnat_outbound_V15

static (inside_vlan254,outside_vlan600) 192.168.122.115 access-list inside_vlan254_pnat_outbound_V1

static (inside_vlan254,outside_vlan600) 192.168.122.151 access-list inside_vlan254_nat_static

static (inside_vlan254,outside_vlan600) 192.168.122.152 access-list inside_vlan254_nat_static_1

static (inside_vlan254,outside_vlan600) 192.168.122.2 access-list inside_vlan254_nat_static_2

I thought pasting the config would be easier than adding it as an attachment.

Thanks again for your help.

New Member

Re: ASA v7.2.1 and NAT

Sorry for the confusion, I didn't need to paste the complete configuration. Here is the pertinent config.

access-list inside_vlan254_nat_static_2 extended permit tcp host 10.100.10.90 host 192.168.70.2 eq ftp

access-list inside_vlan254_nat_static_2 extended permit tcp host 10.100.10.90 host 192.168.70.2 range 52300 52399

static (inside_vlan254,outside_vlan600) 192.168.122.2 access-list inside_vlan254_nat_static_2

I also have the same IP address configured as a pool:

global (outside_vlan600) 1 192.168.122.2 netmask 255.255.255.255

Here is the error message I received when the remote site initiated an FTP session into this ASA.

6 Nov 17 2006 03:57:32 302014 192.168.70.2 192.168.122.2 Teardown TCP connection 7694 for outside_vlan600:192.168.70.2/10405 to outside_vlan600:192.168.122.2/21 duration 0:00:00 bytes 0 Flow is a loopback

Your help is appreciated.
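
Added example, not part of the original thread and not Cisco code: a small Python check that scans a PIX/ASA 7.x config for the overlap described in the posts above, where one mapped address on an interface appears both in a global pool and in a policy static. The sample lines are copied from the posted config; the function names are hypothetical, and the script assumes a global entry is either a single address or a first-last range and does not use the netmask to expand it.

```python
import ipaddress
import re
from collections import defaultdict

# Sample lines copied from the config posted in this thread.
SAMPLE_CONFIG = """\
global (outside_vlan600) 1 192.168.122.2 netmask 255.255.255.255
global (outside_vlan600) 600 interface
global (outside_vlan600) 2 192.168.122.96 netmask 255.255.255.224
static (inside_vlan254,outside_vlan600) 192.168.122.101 access-list inside_vlan254_pnat_outbound_V2
static (inside_vlan254,outside_vlan600) 192.168.122.2 access-list inside_vlan254_nat_static_2
"""

GLOBAL_RE = re.compile(r"^global \(([^)\s]+)\) (\d+) (\S+)(?: netmask \S+)?$")
STATIC_RE = re.compile(
    r"^static \(([^,\s]+),([^)\s]+)\) (\d+\.\d+\.\d+\.\d+) access-list (\S+)$")


def parse_pool(spec):
    """Return (first, last) for 'a.b.c.d' or 'a.b.c.d-e.f.g.h', None for 'interface'."""
    if spec == "interface":
        return None
    first, _, last = spec.partition("-")
    return ipaddress.IPv4Address(first), ipaddress.IPv4Address(last or first)


def find_overlaps(config_text):
    """List (mapped_if, ip, nat_id, acl) where a static's mapped IP is also in a global pool."""
    pools = defaultdict(list)   # mapped interface -> [(nat_id, first, last)]
    statics = []                # (mapped interface, mapped IP, ACL name)
    for line in config_text.splitlines():
        line = line.strip()
        g = GLOBAL_RE.match(line)
        s = STATIC_RE.match(line)
        if g:
            pool = parse_pool(g.group(3))
            if pool:
                # Assumption: the netmask is not used to expand the pool.
                pools[g.group(1)].append((int(g.group(2)), *pool))
        elif s:
            statics.append((s.group(2), ipaddress.IPv4Address(s.group(3)), s.group(4)))
    return [(ifc, str(ip), nat_id, acl)
            for ifc, ip, acl in statics
            for nat_id, first, last in pools.get(ifc, [])
            if first <= ip <= last]


if __name__ == "__main__":
    for finding in find_overlaps(SAMPLE_CONFIG):
        print("mapped IP %s on %s is in global pool %d and static ACL %s"
              % (finding[1], finding[0], finding[2], finding[3]))
```

On the sample it reports only 192.168.122.2 on outside_vlan600, the address used by both global pool 1 and the static for inside_vlan254_nat_static_2.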
